PAM, IAM, Or Both?

Identity & Access Management (IAM) and Privileged Access Management (PAM) are often misunderstood, as they have similar features for dealing with users, access, and roles. Both also aim to safeguard data by controlling who has access to systems and what manipulation of sensitive areas is allowed.

Despite these similarities, they are different. The role of PAM is to protect users who have privileged access to sensitive data, such as System Administrators or Developers.

Privileged credentials (also called privileged passwords) are a subset of credentials that provide elevated access and permissions across accounts, applications, and systems. Privileged passwords can be associated with human, application, service accounts, and more. Secure Shell Protocol (SSH) keys are one type of privileged credential, used across enterprises to access servers and open pathways to highly sensitive assets.

Privileged account passwords are often referred to as ‘the keys to the IT kingdom’ as, in the case of superuser passwords, they can provide the authenticated user with almost limitless privileged access rights across an organisation’s most critical systems and data. With so much power inherent in these privileges, they can be an area for abuse by insiders and are highly coveted by hackers. Forrester Research estimates that 80% of security breaches involve privileged credentials.

IAM, on the other hand, focuses on business users or third parties, controlling the access and experience these users are given within an application or service. Frequently, IAM is linked to zero trust measures and strong authentication.

In many cases, companies think that adding an IAM solution will take care of the privileged users as well. But this is a mistake: PAM goes far broader in its controls and should be the first authentication measure deployed, as PAM solutions take security and compliance a step further, helping IT teams to control privileged users and accounts.

In short, IAM manages identities for common accesses that occur in routine activities, while PAM controls access of privileged and active users in critical system environments.
 
PAM systems define which employees, partners, vendors, and applications have what level of access for specific accounts or data. Implementation of PAM is a mix of software, processes, and enforcement, so that only those with privileged access have permission to use the most critical data and assets.

Some key features of a PAM system are:

  • Password vault: management and protection of critical credentials through session monitoring.
  • Usage limit: limiting account usage based on a specific time, or a certain approval extent.
  • Discovery: auto-discovery of privileged credentials that may be on the system without the administrator’s knowledge.
  • Visibility: view of what happens when an access is requested, approved, and performed.
  • Audit: recording of evidence from accesses performed correctly or not.
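
The usage limit, visibility and audit features above can be sketched in a few lines. This is an added example, not code from the article or from any PAM product; `CheckoutBroker`, its method names, the account `root@db01` and the users are hypothetical, and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    approver: str
    not_after: datetime   # end of the approved time window
    uses_left: int        # remaining checkouts under this approval

class CheckoutBroker:  # hypothetical: gates privileged-account use, records every step
    def __init__(self):
        self.grants = {}  # (user, account) -> Grant
        self.audit = []   # append-only trail of (time, event, user, account, detail)

    def _log(self, now, event, user, account, detail=""):
        self.audit.append((now.isoformat(), event, user, account, detail))

    def request(self, now, user, account):
        self._log(now, "requested", user, account)

    def approve(self, now, approver, user, account, minutes, max_uses):
        self.grants[(user, account)] = Grant(approver, now + timedelta(minutes=minutes), max_uses)
        self._log(now, "approved", user, account, f"by={approver} for {minutes}m x{max_uses}")

    def checkout(self, now, user, account):
        grant = self.grants.get((user, account))
        if grant is None:
            reason = "no approval"
        elif now > grant.not_after:
            reason = "window expired"
        elif grant.uses_left <= 0:
            reason = "use limit reached"
        else:
            grant.uses_left -= 1
            self._log(now, "performed", user, account, f"approved_by={grant.approver}")
            return True
        self._log(now, "denied", user, account, reason)  # failed attempts are evidence too
        return False

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample data
    acct, broker = "root@db01", CheckoutBroker()
    first = broker.checkout(t0, "alice", acct)                          # no approval yet
    broker.request(t0, "alice", acct)
    broker.approve(t0, "bob", "alice", acct, minutes=30, max_uses=1)
    rest = [broker.checkout(t0 + timedelta(minutes=m), "alice", acct) for m in (5, 6)]
    broker.approve(t0, "bob", "alice", acct, minutes=30, max_uses=1)
    late = broker.checkout(t0 + timedelta(minutes=45), "alice", acct)   # window expired
    return [first, *rest, late], broker.audit
```

The audit trail records denied attempts alongside performed ones, which is what lets a reviewer reconstruct who asked for what, who approved it, and what actually happened.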

Both IAM and PAM are useful to protect your organisation from security theft. To fully protect your business from internal and external threats, both IAM and PAM solutions should be deployed.

By using these tools together, companies can eliminate any coverage gaps left unprotected from hackers with a complete security solution that regulates password use, monitors user access activity, and facilitates government regulation compliance. It could even save money on cyber insurance premiums.

Companies must ensure that they closely integrate their IAM and PAM tools, as this will help avoid redundant processes for privileged and everyday user accounts. With the strong combination of these systems, companies can have trust in automated provisioning of user accounts, which enables swift removal of a user profile when a person leaves or a compromise is detected.

Additionally, using strong user identity management ensures faster reporting and auditing across all user accounts, making any form of investigation much easier.

Identity Access Management (IAM) and Privileged Access Management (PAM) are completely different from each other in terms of how they work, as well as their audience. I always advise that a PAM solution should be the primary implementation, followed by a complementary IAM solution, as the exposure of data is far greater when a privileged user is compromised.

Colin Tankard is Managing Director of Digital Pathways
